LastPass goes public over security vulnerabilities

LastPass has confirmed that it was alerted to security vulnerabilities in its bookmarklets in August 2013, but claims its users were quickly protected against attack.

Cloud-powered password management service LastPass has spoken publicly for the first time about a pair of security flaws reported in August 2013, but says that users have nothing to fear from the bugs.

LastPass is a popular cross-platform password management service, which stores users' usernames, passwords and other private details on remote servers. These details are reversibly encrypted using a master password, meaning that LastPass users need only remember a single password while having the ability to use a unique and complex password for every site and service they use.

It's a handy way of dealing with the issues surrounding secure passwords, but one that introduces a single point of failure: if an attacker gains access to the target's LastPass account, the attacker automatically gains access to every single site stored within the database - unless, of course, two-factor authentication is being used. That makes security vulnerabilities in the service a serious concern, and LastPass has confirmed that two such vulnerabilities were reported to the company in August last year.

The vulnerabilities were spotted by Zhiwei Li, a security researcher at the University of California at Berkeley, who notified the company and agreed to keep his discoveries secret until the flaws could be patched. The first issue was a vulnerability in the LastPass bookmarklet system (which offers LastPass functionality in browsers for which there is no native plug-in) that could grant access to the LastPass account; the second was a vulnerability that could allow an attacking site to force the generation of an insecure one-time password through the same bookmarklet.

According to LastPass, the vulnerabilities were not as severe as they sound - they could only function in targeted attacks where the attacker already knows the target's LastPass username - and were resolved in September 2013. Now, Li is going public with a report on his discoveries - hence the new announcement from LastPass - but the company claims its users should be entirely secure. 'If you are concerned that you’ve used bookmarklets before September 2013 on non-trustworthy sites, you may consider changing your master password and generating new passwords,' the company confirmed in its statement, 'though we don’t think it is necessary.'